2010/10/03

Stuxnet and cyber warfare

.
I observed the topic of the Stuxnet worm (a software targeting industrial machine control devices, with apparently high degree of sophistication and apparently first active in Iran).

I don't really buy the assertion that this worm required a great project, some form of government backing or similar efforts for its creation. Those who deny the possibility that it might originate from a few hacker friends probably just don't know such competent and cross-qualified people.
It could of course be the product of some intelligence agency's effort to sabotage some production in Iran; neither the pro nor the contra is proven.


During dinner I watched CNN International and after a lot of boring and utterly uninteresting "business news" they finally reported about Stuxnet. It was interesting to see whom they interviewed; some guy from Kaspersky (they cited the competitor Symantec as well) and some Cambridge professor. There was no interview with some military or law enforcement or intelligence agency expert on the topic. Maybe the latter wouldn't comment, but I'm sure there are law enforcement departments specialized on computer crimes and these people would love to get CNN's attention in order to secure their future budget. The same should apply to those dubious "cyber defense" units that seem to pop up in some Western militaries.

Somehow, CNN didn't seem to suspect relevant competence in such agencies, and neither do I.

The Stuxnet case seems to be a good example about how civilian institutions - even for-profit companies - appear to be better suited for "defending" a country against software attacks.

Just last year, while researching a book on America's digital illiteracy, I met with the Air Force General then in charge of America's cybercommand. He said he had plenty of new recruits ready and able to operate drones or other virtual fighting machines - but no one capable of programming them, or even interested in learning how. He wasn't even getting recruits who were ready to begin basic programming classes.

The most effective and most efficient approach to "cyber defense" may be to push for the creation of some private sector anti-malware companies and sponsor some jobs at university computer security departments.

- - - - -

I wondered for a long time what exactly this photo from US Cyber Command (afaik) was meant to show, what kind of message it was meant to communicate:


This guy is probably supposed to look very concentrated and concerned, monitoring internet activity (or something else!?). The graphics are colourful and look like straight from a CSI TV series.
The graphics are also utterly useless. About as useless as his clothes' camouflage pattern. How competent does this guy look to you in the context of malware attacks? Looks can be misleading, but it's quite a photographer's professional negligence to not even insist on glasses.

A REAL anti-malware nerd would more likely read e-mails or very nerdy computer journals. He would look very focusedly at a source code, not at colourful graphics. Colourful graphics are the Hollywood version of professional software. He would use a normal about 20" diameter monitor or two, not some sci-fi-ish display like that one.

In short: He wouldn't even fit into the military. The intelligence services are forced to outsource much software-related activity because they cannot hire the real top talent, and neither can the military. The military's best shot at recruiting such top talent would be to ask judges and state attorneys to send computer criminals to them as part of legal deals.

- - - - -

Germany has an official "hacker" club, a club in a grey zone. The CCC is no criminal organization, but at the same time not exactly the wrong club if you want to find people who are competent enough for committing sophisticated computer crimes.
This CCC and the Russian network of spammers (bot nets) and hackers in the St. Petersburg area are good examples for civilian competence centres for offensive and defensive computer activities (the Russians also have Kaspersky). They could easily pull off major attacks of the Stuxnet scale without even mobilizing a substantial portion of their potential.

The (published) military efforts in regard to defensive and offensive computer actions appear incompetent and futile (if existing at all) in comparison.

The militarization of computer attacks and defence against the same looks to me like a perfectly predictable bureaucratic expansion. The theory of bureaucracy predicts such behaviour just fine.
What seems to be missing is a rigorous analysis of the optimum for software attacks and defence. The military isn't only late by almost two decades - it's the antithesis to the perfect organization for such activities. It's way beyond my understanding how anyone could think that setting up a "Cyber Command" was a good idea and not a 95+ % waste of taxpayer money.

- - - - -

The best defence and offence in the realm of software combat are to be found in the private sector. I think the offence is best managed by intelligence services while defence is best managed by non-profit enterprises and scientific centres, both supported with a very moderate amount of taxpayer money.
A militarization of either or even a "Cyber warfare" look like very bad ideas to me.

Conflict through software attacks is novel and thus still interesting. The topic justifies much intellectual and expert thinking. It's probably comparable to trade wars and diplomatic cold wars because there's no violence involved.
The very special characteristics of software attacks are the difficulty of tracing back attacks and an often marginal control over consequences. The effects of malware are especially difficult to predict - unlike the effects of a denial-of-service attack, for example. Both offer much food for thought.


Sven Ortmann
.

3 comments:

  1. I read the 46 pager Symantec put out about Stuxnet. I also have background as (assembler level) programmer for industrial applications and as professional IT manager. There is no way Stuxnet was made by a simple group of hackers. It is a 20+ men-year project and part of the hack was physically stealing two certificate keys likely in Taiwan. Open source programming is great and can do a lot if and only if there is free information flow. But building Stuxnet required extreme information restrain and was not an open source project.

    On your other points you are correct. Defense against cyber attacks is mostly rigorous network and system management - discipline - something the military can get done. The best defense though is NOT to depend on these systems in the first place, just like a tank battalion should be able to do its job without radios when needed, the military as a whole needs to able to work when these systems are down. This must be trained!

    Offensive capabilities best fit into civil organizations - some crazy techy department of this or that secret service. There are so many possible attack axises that it would be real fun to work there :-)

    ReplyDelete
  2. I looked at it as well and am no software illiterate either. We can agree to disagree about Stuxnet, but I'd like to lay out why I am not convinced:

    I've encountered enough people who were so much above average that two or three of them combined could easily beat a normal team of 20 in their field of expertise.

    There are billions of people on this world, malware has been in existence for decades - there was a good statistical probability of such a perfect storm.

    I'm sure that two or three real aces could pull it off. All they needed was knowledge, some access and some time (and judging by Symantec's timeline, they took years!).

    ReplyDelete
  3. i'm with b.
    This was so far above flirting with the receptionist till she gives you her password its not even funny.

    ReplyDelete